Sneaky iOS (Malware?) Surfaces in App Store, Says Kaspersky

Apple’s closed model, while criticized by many, has kept iPhone and iPad users relatively safe from malware and other potentially malicious apps, especially when compared to Android users.

While some iOS apps have been called into question before over privacy concerns and aggressive advertising tactics, Kaspersky Lab researchers are saying they have discovered an iOS app that they are outright calling malware.

The app in question is “Find and Call,” an app that Kaspersky is classifying as malware based upon the fact that it grabs a users phonebook details (without first notifying the user) and sends spam SMS messages to all contacts, appearing to be initiated from the user. (A version of the app is also available for Android, but for this story we’ll focus on the iOS version)

Kaspersky said it was tipped off about the app when Russian mobile carrier MegaFon reached out about the suspicious app. After taking a first look into the app, Kasperky’s mobile security guru Denis Maslennikov said they believed it to be an SMS worm being spread by sending messages to contacts stored in the address book.

“However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server,” Maslennikov wrote in a blog post. “The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.”

At first, one may think that while the features may raise privacy concerns, they may not necessarily be malicious, as many legitimate apps, for one reason or another, access and sometimes capture information from address books.

But this app is certainly malicious, Maslennikov says. Why? “Both apps upload user’s phone book to remote server and use it for SMS spam,” he said.

Following Maslennikov’s blog post, he noted that AppleInsider.ru was able to connect with the author who sprung to its defense, saying in an English translation, “[The} system is in process of beta-testing. In result of failure of one of the components there is a spontaneous sending of inviting SMS messages. This bug is in process of fixing. SMS are sent by the system, that is why it won't affect your mobile account.”

The company appearing to be behind the app describes itself as follows: “Our company develops and introduces new innovational products in the sphere of the Internet and telephony. The project, on the web-site of which you are right now, has been started in 2006, and only in summer 2011 we have decided that it is good enough to bring it to beta-testing and to open it for first users.”

While the Find and Call app should certainly should raise red flags, it’s unclear to what extent the authors plan to use the harvested data, and if it would be used beyond the blatant spam attempts to promote its own products. In fact, many online web services and apps often trick users into blindly promoting products, often via a Twitter connection or auto-emailing to address books.

Earlier this year, Symantec issued a warning on a set of Android apps that it said were a bot-like threat, but in reality were just using a third party ad service (Apperhand) that essentially made the apps adware, but not necessarily malware.

Will Find and Call really be marked as the first true malware to work its way into Apple’s official App Store? That's a tough call. If the company adds a simple disclosure or approval step before sending out SMS promotions, would it still be classified as malware?

"Yes, these pieces of malware are not that ‘cybercriminalistic’," Maslennikov opined. "But malware is malware and in this case it steals user’s phone book and uses it for SMS spam. And we’re sure that there must be strict and quick response to such incidents."

Kaspersky Lab detects them as Trojan.AndroidOS.Fidall.a and Trojan.IphoneOS.Fidall.a.

At the time of publishing, FindAndCall is still available via Apple's AppStore.

For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.